4757684 2000-02-02  23:19  /53 lines/ Postmaster
Recipient: Bugtraq (import) <9614>
Subject: vulnerability in Linux Debian default boot configuration
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: BUGTRAQ@SECURITYFOCUS.COM
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Message-ID:  <20000202113937.A47007@enst.fr>
Date:         Wed, 2 Feb 2000 11:39:37 +0100
Reply-To: Pierre Beyssac <beyssac@ENST.FR>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Pierre Beyssac <beyssac@ENST.FR>
X-To:         BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM

The recent stable releases (at least 2.0, 2.1 and soon-to-be-released
2.2 -- Hamm, Slink and Potato) of the Debian Linux distributions
use a dangerous MBR in their default installation. Maybe this
applies to older releases as well but I haven't been able to check
these.

When the SHIFT key is pressed during the boot, the installed MBR
displays the string "1FA:" then waits for a keypress. It then boots
a floppy if the F key is pressed, bypassing any security measures.

This happens:
	- regardless of the BIOS configuration (even with floppy
	  boot disabled and password-protected configuration).
	- regardless of Lilo (or other) configuration: this happens
	  before Lilo is even started, so putting a password on
	  Lilo is of no use.

Since this MBR is installed by default during the installation
(unless the user chooses to keep the previous MBR, which is not
the natural choice for an installation from scratch, and is not
the default choice anyway), many sites are probably vulnerable even
though they have taken the usual steps to prevent tampering with
the boot process.

Quick fix: use Lilo's MBR by putting "boot=/dev/hda" (or equivalent)
instead of "boot=/dev/hda1" in your Lilo configuration to install
a barebones MBR.

Thanks to Patrice Piétu <Patrice.Pietu@enst.fr>, Thomas Quinot
<Thomas.Quinot@enst.fr> and Samuel Tardieu <Samuel.Tardieu@enst.fr>
for their help in tracking down the source of this problem and
finding a fix.

[ Note: this has been registered as Debian bug ID 56821, but has
  just been downgraded as a mere "wishlist" item, so clearly it is
  not given the attention it deserves. ]
--
Pierre Beyssac		pb@enst.fr
(4757684) ------------------------------------------

4761480 2000-02-03  22:12  /118 lines/ Postmaster
Recipient: Bugtraq (import) <9636>
Subject: Re: vulnerability in Linux Debian default boot configuration
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: BUGTRAQ@securityfocus.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-ID:  <20000203145216.W50448@enst.fr>
Date:         Thu, 3 Feb 2000 14:52:16 +0100
Reply-To: Pierre Beyssac <beyssac@ENST.FR>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Pierre Beyssac <beyssac@ENST.FR>
X-To:         Brian Almeida <bma@debian.org>
X-cc:         BUGTRAQ@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <20000203074852.A14013@debian.org>; from Brian Almeida on Thu 
             Feb 03, 2000 at 07:48:52AM -0500

On Thu, Feb 03, 2000 at 07:48:52AM -0500, Brian Almeida wrote:
> A 100+ message flamewar on debian-devel@lists.debian.org isn't enough
> 'attention' for you, is it.  It has been thoroughly discussed there.  I invite

Except it happened the other way around: the flame war came just
after I wrote the post to Bugtraq. Check the date; I wrote it soon
after I was notified that the priority of the bug report was
downgraded.

> anyone who wants to read the list archives (available on www.debian.org).
> In any case, it has been resolved.

Granted. But not with the resolution description you forwarded
("disables the floppy option from the first mbr prompt"): it was
not enough of a fix because it still allowed the "A" menu.

The final fix, which I tend to agree with, is to disable by default
the "extended features" of this MBR:

To: 56821-done@bugs.debian.org
Subject: Boot floppies 2.2.6 has been uploaded. (Was: Re: Bug#56821: [POSSIBLE GRAVE SECURITY HOLD])
Message-ID: <87u2jqizug.fsf_-_@bittersweet.intra>


 Boot floppies 2.2.6 has been uploaded.

 Starting with this version of `boot-floppies', `install-mbr' is run
 with `--interrupt n', so that it is not interruptible during boot;
 that is, holding shift will NOT display the MBR menu; it should
 behave just like a standard MBR.  At local option, that functionality
 may be enabled by the system administrator, via the `install-mbr'
 command.

 You will find that `install-mbr --help' displays the following:

 Usage: install-mbr [options] <target>
 Options:
   -f, --force                       Override some sanity checks.
   -I <path>, --install <path>       Install code from the specified file.
   -k, --keep                        Keep the current code in the MBR.
   -l, --list                        Just list the parameters.
   -n, --no-act                      Don't install anything.
   -o <offset>, --offset <offset>    Install the MBR at byte offset <offset>.
   -P <path>, --parameters <path>    Get parameters from <path>.
   -r, --reset                       Reset the parameters to the default state.
   -T <path>, --table <path>         Get partition table from <path>.
   -v, --verbose                     Operate verbosely.
   -V, --version                     Show version.
   -h, --help                        Display this message.
 Parameters:
   -d <drive>, --drive <drive>       Set BIOS drive number.
   -e <option>, --enable <option>    Select enabled boot option.
   -i <mode>, --interrupt <keys>     Set interrupt mode. (a/c/s/cs/n)
   -p <partn>, --partition <partn>   Set boot partition (0=whole disk).
   -t <timeout>, --timeout <timeout> Set the timeout in 1/18 second.
 Interrupt modes:
   's'=Interrupt if shift or ctrl is pressed.
   'k'=Interrupt if other key pressed.
   'a'=Interrupt always.
   'n'=Interrupt never.
 Boot options:
   '1','2','3' or '4' - Partition 1,2,3 or 4.
   'F' - 1st floppy drive.
   'A' - Advanced mode.
 Report bugs to neilt@chiark.greenend.org.uk


 From `dbootstrap' (the familiar Debian installer program on the
 rescue floppy) right after opting to install `mbr', a message dialog
 will be displayed (unless the "quiet" bootarg was given) with the
 following to say:

----------------------------------------------------------------------

	    Important Information about the installed MBR

   The master boot record program that was just installed supports
   several advanced options that have not been enabled by default.
   The installed configuration will cause it to behave just like a
   standard MBR.  For information about the advanced features
   supported by the mbr, please read the 'install-mbr' manual page.

----------------------------------------------------------------------

 I have verified that the `install-mbr' man page is installed with the
 base system.  It will be available for reading after the standard
 `man-db' setup is in place.

 We hope that this will be sufficient grounds for closing bug #56821.


 Karl M. Hegbloom <karlheg@debian.org>, on behalf of the `debian-boot'
 team.

 PS.
  It has been brought up that _perhaps_ for `woody', an `mbr' and
  `lilo' configuration widget can be added to `dbootstrap', allowing
  one to enable and configure the advanced `mbr' functionality, and
  even Lilo/Grub password access control features during installation.

--
Pierre Beyssac		pb@enst.fr
(4761480) ------------------------------------------
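An added defensive check, not code from this thread or from the Debian `mbr` package: it reads the first sector of a disk, decodes the partition table, and flags boot code that carries the "1FA:" prompt string from the original report, so an auditor knows to confirm the interrupt mode with `install-mbr --list` as described in the 2.2.6 fix. It assumes the prompt string is stored verbatim in the boot code and that a LILO MBR contains the literal "LILO"; the sample sectors are constructed.

```python
import struct

MBR_SIZE = 512
BOOT_CODE_END = 446            # bytes 446..509 hold the four 16-byte partition entries
MENU_PROMPT = b"1FA:"          # prompt the Debian 'mbr' program prints when SHIFT is held (from the report)

def parse_partitions(mbr: bytes) -> list:
    """Decode the four primary partition entries of an MBR sector."""
    parts = []
    for i in range(4):
        off = BOOT_CODE_END + 16 * i
        flag, ptype = mbr[off], mbr[off + 4]
        start, count = struct.unpack_from("<II", mbr, off + 8)
        parts.append({"bootable": flag == 0x80, "type": ptype,
                      "start_lba": start, "sectors": count})
    return parts

def inspect_mbr(mbr: bytes) -> dict:
    """Classify the boot code and say what a defender should check next."""
    if len(mbr) < MBR_SIZE:
        raise ValueError("need at least 512 bytes")
    code = mbr[:BOOT_CODE_END]
    result = {
        "valid_signature": mbr[510:512] == b"\x55\xaa",
        "debian_mbr": MENU_PROMPT in code,   # assumption: prompt string stored verbatim
        "lilo_mbr": b"LILO" in code,         # assumption: LILO's sector carries this literal
        "partitions": parse_partitions(mbr),
    }
    if result["debian_mbr"]:
        # The boot-floppies 2.2.6 fix keeps this code and only changes its parameters,
        # so the prompt string alone does not prove the menu is disabled: confirm with
        # 'install-mbr --list <device>' that the interrupt mode is 'n'.
        result["advice"] = "Debian mbr present: verify interrupt mode with install-mbr --list"
    else:
        result["advice"] = "not the Debian mbr program"
    return result

def read_mbr(device: str) -> bytes:
    with open(device, "rb") as f:
        return f.read(MBR_SIZE)

def _fake_mbr(boot_code: bytes) -> bytes:
    """Constructed sample sector: given boot code, one bootable Linux partition, 0x55AA."""
    code = boot_code.ljust(BOOT_CODE_END, b"\x00")
    entry = bytes([0x80, 1, 1, 0, 0x83, 0xFE, 0xFF, 0xFF]) + struct.pack("<II", 63, 2097152)
    return code + entry + b"\x00" * 48 + b"\x55\xaa"

SAMPLE_DEBIAN = _fake_mbr(b"\xfa\x33\xc0" + MENU_PROMPT + b"\x00")   # constructed
SAMPLE_LILO = _fake_mbr(b"\xeb\x04LILO\x01\x00")                     # constructed

if __name__ == "__main__":
    import sys
    print(inspect_mbr(read_mbr(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_DEBIAN))
```

Run it as root against the whole-disk device (for example `/dev/hda`, as in the LILO fix above) to inspect a real MBR.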

4765034 2000-02-05  07:41  /77 lines/ Postmaster
Recipient: Bugtraq (import) <9648>
Subject: Re: vulnerability in Linux Debian default boot configuration
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: BUGTRAQ@securityfocus.com
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5 
             protocol="application/pgp-signature"; boundary="LQksG6bCIzRHxTLp"
User-Agent: Mutt/1.0i
Message-ID:  <20000203133746.A22421@visi.net>
Date:         Thu, 3 Feb 2000 13:37:46 -0500
Reply-To: Ben Collins <bcollins@DEBIAN.ORG>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Ben Collins <bcollins@DEBIAN.ORG>
X-To:         BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM


Just a quick comment. This was discussed (if you call a flame fest a
discussion) to a great extent on Debian's list. To sum up the
discussion:

a) The boot floppies were changed after this for potato to make sure the
   user knows about the default setup (the MBR that allows booting from
   floppy).

b) The vast majority of systems do not require physical security in this
   manner, and the benefits for rescuing failed systems using this
   feature outweighs the downside of the "issue".

c) It is felt that an admin who is first of all smart enough to setup the
   BIOS and LILO to disable floppy booting, and is in dire need enough to
   want this, should also be intelligent enough to know that the MBR is
   part of the boot process, and thus they should expect to make changes
   there as well.

d) Given that 99.9% of computer systems are setup to not disable floppy
   booting (forsaking the obviously biased percentage of people on this
   list who do have it disabled), that it is not a problem to also have
   this as the default.

e) Anyone who wants true physical security will use physical measures to
   assure it. This means locked cases, locked racks, removing the floppy
   altogether. Thus the MBR plays a minor role in this type of security.

f) RTFM. The mbr program docs, and the LILO docs explain about the MBR and
   security concerns dealing with it. Even disabling the floppy does not
   assure physical security in a public manner (such as the machines that
   the original poster is using...eg. publicly accessible terminals).

Thanks,
  Ben

PS: I am not subscribed to BUGTRAQ at the moment, so please Cc
questions, concerns.

-- 
 -----------=======-=-======-=========-----------=====------------=-=------
/  Ben Collins  --  ...on that fantastic voyage...  --  Debian GNU/Linux   \
`     bcollins@debian.org  --  bcollins@openldap.org  --  bmc@visi.net     '
 `---=========------=======-------------=-=-----=-===-======-------=--=---'

(4765034) ------------------------------------------(Reflowed)